A hybrid machine learning approach to network anomaly detection

Authors:
Taeshik Shon;Jongsub Moon
Affiliations:
IP Lab, TN R&D Center, Dong Suwon P.O. Box 105, Maetan-3dong, Suwon 442-600, Republic of Korea;CIST/GSIS, Korea University, 5-ga, Anamdong, Seongbukgu, Seoul 136-701, Republic of Korea
Venue:
Information Sciences: an International Journal
Year:
2007

Citing 21
Cited 31

Adaptation in natural and artificial systems

Adaptation in natural and artificial systems
The nature of statistical learning theory

The nature of statistical learning theory
Support-Vector Networks

Machine Learning
An introduction to genetic algorithms

An introduction to genetic algorithms
Locally Weighted Learning

Artificial Intelligence Review - Special issue on lazy learning
Properties of support vector machines

Neural Computation
Efficient algorithms for mining outliers from large data sets

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Ensemble of structure-adaptive self-organizing maps for high performance classification

Information Sciences: an International Journal - methods and systems for intelligent human—computer interaction
Hierarchical classification of Web content

SIGIR '00 Proceedings of the 23rd annual international ACM SIGIR conference on Research and development in information retrieval
Practical automated detection of stealthy portscans

Journal of Computer Security
Estimating the Generalization Performance of an SVM Efficiently

ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
Comparing the template method and strategy design patterns in a genetic algorithm application

ACM SIGCSE Bulletin
Statistical Traffic Modeling for Network Intrusion Detection

MASCOTS '00 Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems
Identifying Important Features for Intrusion Detection Using Support Vector Machines and Neural Networks

SAINT '03 Proceedings of the 2003 Symposium on Applications and the Internet
Analysis of a Denial of Service Attack on TCP

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Testing network-based intrusion detection signatures using mutant exploits

Proceedings of the 11th ACM conference on Computer and communications security
Supervised learning on a fuzzy Petri net

Information Sciences—Informatics and Computer Science: An International Journal
Classification methods in the detection of new malicious emails

Information Sciences—Informatics and Computer Science: An International Journal
Estimating the Support of a High-Dimensional Distribution

Neural Computation
Wide-area Internet traffic patterns and characteristics

IEEE Network: The Magazine of Global Internetworking

Hierarchical multi-pattern matching algorithm for network content inspection

Information Sciences: an International Journal
A hybrid artificial immune system and Self Organising Map for network intrusion detection

Information Sciences: an International Journal
A fuzzy-genetic approach to network intrusion detection

Proceedings of the 10th annual conference companion on Genetic and evolutionary computation
Local anomaly detection for mobile network monitoring

Information Sciences: an International Journal
Multiple criteria mathematical programming for multi-class classification and application in network intrusion detection

Information Sciences: an International Journal
The generic genetic algorithm incorporates with rough set theory - An application of the web services composition

Expert Systems with Applications: An International Journal
A triangle area based nearest neighbors approach to intrusion detection

Pattern Recognition
Review: Intrusion detection by machine learning: A review

Expert Systems with Applications: An International Journal
Detecting Network Anomalies Using CUSUM and EM Clustering

ISICA '09 Proceedings of the 4th International Symposium on Advances in Computation and Intelligence
Anomaly intrusion detection by clustering transactional audit streams in a host computer

Information Sciences: an International Journal
An SVM-based machine learning method for accurate internet traffic classification

Information Systems Frontiers
Discernibility analysis and accuracy improvement of machine learning algorithms for network intrusion detection

ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Complex system fault diagnosis based on a fuzzy robust wavelet support vector classifier and an adaptive Gaussian particle swarm optimization

Information Sciences: an International Journal
Evolution strategies based adaptive Lp LS-SVM

Information Sciences: an International Journal
Building a qualitative recruitment system via SVM with MCDM approach

Applied Intelligence
AI based supervised classifiers: an analysis for intrusion detection

ACAI '11 Proceedings of the International Conference on Advances in Computing and Artificial Intelligence
A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

Applied Intelligence
Prediction of disulfide bonding pattern based on a support vector machine and multiple trajectory search

Information Sciences: an International Journal
Masquerader classification system with linux command sequences using machine learning algorithms

ICDEM'10 Proceedings of the Second international conference on Data Engineering and Management
An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection

Applied Soft Computing
An evaluation of clustering technique over intrusion detection system

Proceedings of the International Conference on Advances in Computing, Communications and Informatics
New class-dependent feature transformation for intrusion detection systems

Security and Communication Networks
idMAS-SQL: Intrusion Detection Based on MAS to Detect and Block SQL injection through data mining

Information Sciences: an International Journal
An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory

The Journal of Supercomputing
A hybrid-forecasting model reducing Gaussian noise based on the Gaussian support vector regression machine and chaotic particle swarm optimization

Information Sciences: an International Journal
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal
NetGator: malware detection using program interactive challenges

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Enhanced pose normalization and matching of non-rigid objects based on support vector machine modelling

Pattern Recognition
Dynamic entropy based DoS attack detection method

Computers and Electrical Engineering
Anomaly secure detection methods by analyzing dynamic characteristics of the network traffic in cloud communications

Information Sciences: an International Journal
A distance sum-based hybrid method for intrusion detection

Applied Intelligence

Quantified Score

Hi-index	0.07

Visualization

Abstract

Zero-day cyber attacks such as worms and spy-ware are becoming increasingly widespread and dangerous. The existing signature-based intrusion detection mechanisms are often not sufficient in detecting these types of attacks. As a result, anomaly intrusion detection methods have been developed to cope with such attacks. Among the variety of anomaly detection approaches, the Support Vector Machine (SVM) is known to be one of the best machine learning algorithms to classify abnormal behaviors. The soft-margin SVM is one of the well-known basic SVM methods using supervised learning. However, it is not appropriate to use the soft-margin SVM method for detecting novel attacks in Internet traffic since it requires pre-acquired learning information for supervised learning procedure. Such pre-acquired learning information is divided into normal and attack traffic with labels separately. Furthermore, we apply the one-class SVM approach using unsupervised learning for detecting anomalies. This means one-class SVM does not require the labeled information. However, there is downside to using one-class SVM: it is difficult to use the one-class SVM in the real world, due to its high false positive rate. In this paper, we propose a new SVM approach, named Enhanced SVM, which combines these two methods in order to provide unsupervised learning and low false alarm capability, similar to that of a supervised SVM approach. We use the following additional techniques to improve the performance of the proposed approach (referred to as Anomaly Detector using Enhanced SVM): First, we create a profile of normal packets using Self-Organized Feature Map (SOFM), for SVM learning without pre-existing knowledge. Second, we use a packet filtering scheme based on Passive TCP/IP Fingerprinting (PTF), in order to reject incomplete network traffic that either violates the TCP/IP standard or generation policy inside of well-known platforms. Third, a feature selection technique using a Genetic Algorithm (GA) is used for extracting optimized information from raw internet packets. Fourth, we use the flow of packets based on temporal relationships during data preprocessing, for considering the temporal relationships among the inputs used in SVM learning. Lastly, we demonstrate the effectiveness of the Enhanced SVM approach using the above-mentioned techniques, such as SOFM, PTF, and GA on MIT Lincoln Lab datasets, and a live dataset captured from a real network. The experimental results are verified by m-fold cross validation, and the proposed approach is compared with real world Network Intrusion Detection Systems (NIDS).